1 /* Crypto operations using stored keys
3 * Copyright (c) 2016, Intel Corporation
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License
7 * as published by the Free Software Foundation; either version
8 * 2 of the License, or (at your option) any later version.
11 #include <linux/mpi.h>
12 #include <linux/slab.h>
13 #include <linux/uaccess.h>
14 #include <linux/crypto.h>
15 #include <crypto/hash.h>
16 #include <keys/user-type.h>
20 * Public key or shared secret generation function [RFC2631 sec 2.1.1]
26 * where xa is the local private key, ya is the local public key, g is
27 * the generator, p is the prime, yb is the remote public key, and ZZ
28 * is the shared secret.
30 * Both are the same calculation, so g or yb are the "base" and ya or
31 * ZZ are the "result".
33 static int do_dh(MPI result, MPI base, MPI xa, MPI p)
35 return mpi_powm(result, base, xa, p);
38 static ssize_t mpi_from_key(key_serial_t keyid, size_t maxlen, MPI *mpi)
45 key_ref = lookup_user_key(keyid, 0, KEY_NEED_READ);
46 if (IS_ERR(key_ref)) {
51 key = key_ref_to_ptr(key_ref);
54 if (key->type == &key_type_user) {
56 status = key_validate(key);
58 const struct user_key_payload *payload;
60 payload = user_key_payload_locked(key);
64 ret = payload->datalen;
65 } else if (payload->datalen <= maxlen) {
66 *mpi = mpi_read_raw_data(payload->data,
69 ret = payload->datalen;
83 struct shash_desc shash;
87 static int kdf_alloc(struct kdf_sdesc **sdesc_ret, char *hashname)
89 struct crypto_shash *tfm;
90 struct kdf_sdesc *sdesc;
93 /* allocate synchronous hash */
94 tfm = crypto_alloc_shash(hashname, 0, 0);
96 pr_info("could not allocate digest TFM handle %s\n", hashname);
100 size = sizeof(struct shash_desc) + crypto_shash_descsize(tfm);
101 sdesc = kmalloc(size, GFP_KERNEL);
104 sdesc->shash.tfm = tfm;
105 sdesc->shash.flags = 0x0;
112 static void kdf_dealloc(struct kdf_sdesc *sdesc)
117 if (sdesc->shash.tfm)
118 crypto_free_shash(sdesc->shash.tfm);
123 /* convert 32 bit integer into its string representation */
124 static inline void crypto_kw_cpu_to_be32(u32 val, u8 *buf)
126 __be32 *a = (__be32 *)buf;
128 *a = cpu_to_be32(val);
132 * Implementation of the KDF in counter mode according to SP800-108 section 5.1
133 * as well as SP800-56A section 5.8.1 (Single-step KDF).
136 * The src pointer is defined as Z || other info where Z is the shared secret
137 * from DH and other info is an arbitrary string (see SP800-56A section
140 static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen,
141 u8 *dst, unsigned int dlen)
143 struct shash_desc *desc = &sdesc->shash;
144 unsigned int h = crypto_shash_digestsize(desc->tfm);
148 u8 iteration[sizeof(u32)];
151 err = crypto_shash_init(desc);
155 crypto_kw_cpu_to_be32(i, iteration);
156 err = crypto_shash_update(desc, iteration, sizeof(u32));
161 err = crypto_shash_update(desc, src, slen);
169 err = crypto_shash_final(desc, tmpbuffer);
172 memcpy(dst, tmpbuffer, dlen);
173 memzero_explicit(tmpbuffer, h);
176 err = crypto_shash_final(desc, dst);
189 memzero_explicit(dst_orig, dlen);
193 static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc,
194 char __user *buffer, size_t buflen,
195 uint8_t *kbuf, size_t kbuflen)
197 uint8_t *outbuf = NULL;
200 outbuf = kmalloc(buflen, GFP_KERNEL);
206 ret = kdf_ctr(sdesc, kbuf, kbuflen, outbuf, buflen);
211 if (copy_to_user(buffer, outbuf, buflen) != 0)
219 long __keyctl_dh_compute(struct keyctl_dh_params __user *params,
220 char __user *buffer, size_t buflen,
221 struct keyctl_kdf_params *kdfcopy)
224 MPI base, private, prime, result;
226 struct keyctl_dh_params pcopy;
230 struct kdf_sdesc *sdesc = NULL;
232 if (!params || (!buffer && buflen)) {
236 if (copy_from_user(&pcopy, params, sizeof(pcopy)) != 0) {
244 if (buflen > KEYCTL_KDF_MAX_OUTPUT_LEN ||
245 kdfcopy->otherinfolen > KEYCTL_KDF_MAX_OI_LEN) {
250 /* get KDF name string */
251 hashname = strndup_user(kdfcopy->hashname, CRYPTO_MAX_ALG_NAME);
252 if (IS_ERR(hashname)) {
253 ret = PTR_ERR(hashname);
257 /* allocate KDF from the kernel crypto API */
258 ret = kdf_alloc(&sdesc, hashname);
265 * If the caller requests postprocessing with a KDF, allow an
266 * arbitrary output buffer size since the KDF ensures proper truncation.
268 keylen = mpi_from_key(pcopy.prime, kdfcopy ? SIZE_MAX : buflen, &prime);
269 if (keylen < 0 || !prime) {
270 /* buflen == 0 may be used to query the required buffer size,
271 * which is the prime key length.
277 /* The result is never longer than the prime */
280 keylen = mpi_from_key(pcopy.base, SIZE_MAX, &base);
281 if (keylen < 0 || !base) {
286 keylen = mpi_from_key(pcopy.private, SIZE_MAX, &private);
287 if (keylen < 0 || !private) {
292 result = mpi_alloc(0);
298 /* allocate space for DH shared secret and SP800-56A otherinfo */
299 kbuf = kmalloc(kdfcopy ? (resultlen + kdfcopy->otherinfolen) : resultlen,
307 * Concatenate SP800-56A otherinfo past DH shared secret -- the
308 * input to the KDF is (DH shared secret || otherinfo)
310 if (kdfcopy && kdfcopy->otherinfo &&
311 copy_from_user(kbuf + resultlen, kdfcopy->otherinfo,
312 kdfcopy->otherinfolen) != 0) {
317 ret = do_dh(result, base, private, prime);
321 ret = mpi_read_buffer(result, kbuf, resultlen, &nbytes, NULL);
326 ret = keyctl_dh_compute_kdf(sdesc, buffer, buflen, kbuf,
327 resultlen + kdfcopy->otherinfolen);
330 if (copy_to_user(buffer, kbuf, nbytes) != 0)
349 long keyctl_dh_compute(struct keyctl_dh_params __user *params,
350 char __user *buffer, size_t buflen,
351 struct keyctl_kdf_params __user *kdf)
353 struct keyctl_kdf_params kdfcopy;
356 return __keyctl_dh_compute(params, buffer, buflen, NULL);
358 if (copy_from_user(&kdfcopy, kdf, sizeof(kdfcopy)) != 0)
361 return __keyctl_dh_compute(params, buffer, buflen, &kdfcopy);